Brief Terms of Reference Cyber Security Professional's Supply and Demand Assessment - Sri Lanka CERT
1. Background

With the rapid development of information and communication technology during the last decades, online service delivery and online social engagement have grown exponentially. Along with the numerous rewards that digitalization provides, threats and risks are emerging whose negative impacts are almost impossible to eliminate. Fiscal institutions, defence agencies and government institutes have become the primary targets of attackers nowadays. Hence cyber hazards should be identified beforehand and precautions should be taken in advance. Most attacks turn out to be successful due to the lack of awareness and lack of skills of the people who handle these ICT systems. In this context, it is necessary to ensure the availability of a cadre of knowledgeable and highly skilled professionals in the information and cyber security domain to protect, detect, defend and respond to these cyberattacks.

Research conducted by universities, research institutes and other academic organizations all over the world has proved that there is a shortage of information security experts in the field. In 2016, a skills gap analysis from the Information Systems Audit and Control Association (ISACA) estimated a global shortage of 2 million cybersecurity professionals by 2019. As per the Global Cyber Security Index (GCSI), Sri Lanka needs to expend much effort on building overall human resource capacity to combat emerging cyber threats. In Sri Lanka, to date, there is a lack of initiatives to address the domestic shortage of cybersecurity experts. Therefore, Sri Lanka CERT aims to conduct a national level survey to analyse the gap between the supply and demand of information and cybersecurity professionals in the industry. Results of this analysis will be utilized by Sri Lanka CERT to formulate appropriate strategies and policies to fill the supply and demand gap of cyber security professionals in the country.

2. Aim and Objectives of the Study

The aim of this study is to obtain the services of a consultancy firm to assess the supply and demand of the information and cyber security professionals of the country and to formulate a strategy to fill the gap. The specific objectives of the study include:

(a) Data gathering and analysis of the supply of professionals for the information and cyber security related job roles.
(b) Data gathering and analysis of the demand for information and cyber security professionals in the job market.

(c) To analyze the gap between supply and demand of information and cyber security professionals.

(d) Formulate an operational strategy to fill the gap between supply and demand of information and cyber security professionals in Sri Lanka.

3. Scope of Activities

3.1. The consultant shall identify and closely work with the key stakeholders in this domain relevant to the assignment. Key stakeholders should include, but are not limited to, industry representatives (e.g. FITIS, SLASCOM, Industry Skills Sector Council etc.), Tertiary and Vocational Education Commission, Department of Man Power and Employment, universities, private sector institutes, government organizations, private firms, and recruitment agencies.

3.2. The consultant shall closely work with the Project Steering Committee (PSC) appointed by Sri Lanka CERT.

3.3. The consultant shall develop a suitable study approach to analyze the supply and demand of information and cyber security professionals. The consultant shall use a wide range of data collection methods including review of secondary documents (e.g. labor market reports, Vocational Education and Training Plans/reports), case study analysis, surveying and interviewing the relevant officers, focus group discussions with key stakeholders and so forth.

3.4. The consultant shall review the previous studies with similar scope that have been done by government and private institutions and adopt the best practices from those studies.

3.5. The consultant shall provide a detailed study implementation plan outlining all the steps involved in the design and implementation of the study, including a project time schedule and resource plan, and outlines of the instruction manuals for enumerators to be developed.

3.6. The consultant shall propose a suitable sampling strategy for the study. The consultant shall justify the appropriateness of the sample to the PSC. The sample should adequately represent various industry sectors and the total population. (The consultant shall refer to an internationally accepted classification scheme such as the International Standard Classification of Occupations (ISCO).)

3.7. The consultant shall propose a suitable methodology to collect data for the study. The consultant shall collect data from primary and secondary sources.

3.8. The consultant shall develop a suitable research instrument, and approval shall be sought from the PSC before the implementation.
3.9. The consultant shall pre-test the survey/interview questionnaire and re-estimate the sample size. After the pre-test, if necessary, revise the questionnaire and documentation. If necessary, adapt the sample size to ensure that final results will be statistically valid and representative. A test of data entry (data entry program and procedures) must also be included in the testing procedures.

3.10. The consultant shall find out through a study how many information security professionals were qualified/certified/graduated during the last five years from both government and private universities/institutes. The consultant is expected to consider the total population.

3.11. The consultant shall find out through a study how many individuals obtain industry certifications in the information and cyber security domain.

3.12. The consultant shall provide a total calculation of how many occupations were available for information security professionals in the private and government sectors per year during the last five years. These job positions should be taken from different sectors such as finance, defence, health, ICT, power and energy etc.

3.13. The consultant shall consider the diversities among the professionals such as gender, age and demographic profiles when producing the results.

3.14. Based on the analyzed data, the consultant should be able to provide the industry sector-wise demand for information and cyber security professionals in different domains (e.g. application security, network security, mobile security).

3.15. Based on the analyzed data, the consultant should forecast the supply and demand of information security related job roles for at least the next five years.

3.16. The consultant should develop a five-year operational strategy to fill the gap between the supply and demand of information and cyber security professionals in the country.

3.17. The consultant shall enter collected data via database software. The software must be able to verify ranges and consistency of the data and generate reports indicating missing data, data outside of the accepted ranges, and inconsistent answers. Clean data records and verify that the sample is still sufficient for reliable statistics. The ownership of the database shall remain with Sri Lanka CERT.

3.18. The consultant shall be responsible for implementing all possible quality control measures in the study to ensure the quality, reliability and validity of data collected and analyzed.
3.19. Final study findings shall be in English. The report must contain descriptive statistics of all variables of the survey, cross tables, and graphs, as well as qualitative presentations. Selected variables should be presented by graphs and/or correlation measures, on thematic maps. A critical review of the methodology, realization, and results should be given, together with recommendations for improvement. The report must be submitted in electronic form and as a hardcopy.

3.20. The consultant shall deliver a presentation at Sri Lanka CERT|CC to present and discuss Final Report findings, when specified by Sri Lanka CERT|CC. These presentations should be delivered as validation presentations for the industry experts when necessary.

4. Qualification of Key Staff

4.1. The consultant is free to propose the number and structure of experts appropriate to his implementation approach, provided that the team properly covers the above-mentioned functions. The suggested minimum number of staff, qualification and experience required for this assignment is presented in the table below. Additional marks will be allocated for the strength of the team proposed by the consultant.

4.2. Positions to cover other project functions must also be presented in the bid, including the number of staff, their input in terms of staff days, and their work schedule. Particular persons must be nominated according to their roles and responsibilities and their CVs must be included in the proposal. A description of an appropriate organization structure, team collaboration arrangements and project management functions must be included in the proposal.
| Key Staff | Minimum Academic Qualification | Minimum Experience | Minimum Number of Assignments Conducted |
|---|---|---|---|
| Project Coordinator | Bachelor's Degree from a recognized university | Minimum 3 years demonstrated experience in managing research projects | At least 3 studies with similar scope |
| Chief Consultant | Master's Degree from a recognized university, especially in the areas of ICT | Minimum 10 years of demonstrated experience in baseline study/impact/outcome evaluation study. Demonstrated experience in conducting supply and demand assessments. Demonstrated experience in designing research, developing surveys and qualitative questionnaires, collecting data through surveys and interviews/focus groups, analyzing data, interpreting data. Demonstrated experience in developing strategies and policies. Ability to interpret quantitative, qualitative and mixed methods data. Excellent oral and written language skills (Sinhala/Tamil and English). Ability to write similar evaluation reports. | 5 national level studies. Experience in conducting 3 similar studies. |
| Statistician cum Qualitative data analyzer | Master's degree in statistics/qualitative data from a recognized university | Minimum 5 years demonstrated experience in statistical analysis/qualitative data analysis and national level research/project evaluations | 5 national level studies |
| Enumerators | Diploma or higher qualification from a recognized institute | Demonstrated experience in conducting face-to-face interviews and surveys. Excellent language skills in Sinhala, Tamil and English. | Participated in at least 5 studies |

5. Key Deliverables and Payment Schedule

Duration of the assignment is 12 weeks.
| Phase/Task | Deliverable | Deadline | Payment | Reports |
|---|---|---|---|---|
| Develop the Inception report | Inception Report including the work plan and the overall approach to the study | Contract date + Week 1 | 5% | Inception Report |
| Develop the Conceptual Framework to assess the supply and demand gap | Report including the detailed study approach, conceptual framework, research method, interview/survey questions, sampling strategy | Contract date + Week 3 | 5% | Interim Report I |
| Assess the Supply side | Supply of information and cyber security professionals. Present findings | Contract date + Week 6 | 15% | Interim Report II |
| Assess the Demand side | Demand for information and cyber security professionals. Present findings | Contract date + Week 8 | 25% | Interim Report III |
| Analyse the gap between the supply and the demand | Analyze the gap between the supply and the demand. Present findings | Contract date + Week 10 | 20% | Interim Report IV |
| Operational Strategy | Final report proposing the strategy to fill the gap between the supply and demand of information and cyber security professionals in the country. Present the report | Contract date + Week 12 | 30% | Final Report |